Critical UniFi OS bug lets hackers gain root without authentication
By Bill Toulas
June 8, 2026 11:51 AM

Attackers can chain three already fixed vulnerabilities in the Ubiquiti UniFi OS Server to execute remote code with root privileges and without authentication.

The security issues are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. They were addressed in May and impact UniFi OS Server versions 5.0.6 and earlier.

All three flaws received the maximum severity rating, even though exploitation requires access to the network, but the vendor's advisory did not mention that they could be chained for remote code execution.

CVE-2026-34908 is an improper access control flaw that can allow unauthorized changes to vulnerable systems.
CVE-2026-34909 is a path traversal vulnerability that can expose files on the underlying operating system.
CVE-2026-34910 is a command injection flaw that can be exploited to execute commands on affected devices.

Additional technical details from Bishop Fox researchers, who validated the complete attack path on a live UniFi OS Server 5.0.6 instance, show that CVE-2026-34908 and CVE-2026-34909 can be used to bypass authentication and reach a vulnerable endpoint, where CVE-2026-34910 enables command injection.

Although the injected commands do not initially run as root, the researchers found that the affected service account's sudo privileges make privilege escalation trivial. According to Bishop Fox, no credentials, user interaction, or prior access are required to obtain a root shell on the target.

"A UniFi OS Server is not a generic Linux box; it is the management plane for an organization's network, including, where those devices are deployed, its physical-access doors, surveillance cameras, and the identities tied to them," explains Bishop Fox.
"Root on the appliance is administrative control over everything the console governs."

Root cause and exploit chain

The root cause of the authentication bypass is a mismatch between how UniFi OS validates and routes incoming requests. Specifically, the authentication component evaluates the raw request URI, while Nginx routes requests based on a normalized version of the same URI.

By crafting requests that appear to target an authentication-exempt endpoint in their raw form but resolve to protected internal routes after normalization, attackers can bypass authentication and reach backend services that should not be publicly accessible.

Once inside, attackers can target a package-update endpoint with CVE-2026-34910, which passes unvalidated user input into a shell command, to execute arbitrary commands on the system. The injected commands run under a highly privileged service account with passwordless sudo access to several system binaries, making escalation to root trivial.

Although the researchers validated the RCE chain, they did not share the full details or a working proof of concept (PoC).

Detection tool available

Bishop Fox has released a free detection script to help defenders discover whether their instance is vulnerable to the unauthenticated RCE chain. It does this by safely sending a specially crafted request that reaches the vulnerable code path without executing any dangerous commands, and then classifying the target as "vulnerable," "patched," "unaffected," or "inconclusive."

However, the script does not detect active attacks, whether exploitation has occurred in the past, or whether persistence mechanisms or backdoors are present on the target. The researchers note that identifying previous exploitation may be challenging because the attack does not require authentication.

"The chain reaches root (we confirmed it) with no credentials and no user interaction, so there is no failed-login trail to look for," warns Bishop Fox.
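The routing mismatch described in the root cause section above, as an added illustration that is not Ubiquiti's or Bishop Fox's code: a gateway that decides the authentication exemption on the raw URI while the router dispatches on the normalized URI, next to a hardened version that canonicalizes first. The route table, the internal route name and the crafted paths are assumptions; the article names /api/auth/validate-sso/ only as a request marker to hunt for and does not publish the real payload.

```python
import posixpath
from urllib.parse import unquote

# Assumed route table. "/api/auth/validate-sso" is the marker path the
# article mentions; "/api/internal/update" is a placeholder, not the real
# vulnerable endpoint.
AUTH_EXEMPT = "/api/auth/validate-sso"
ROUTES = {
    AUTH_EXEMPT: "sso-handler",                # reachable without a session
    "/api/internal/update": "update-handler",  # must require a session
}


def normalize(raw_uri: str) -> str:
    """What an nginx-style router dispatches on: query stripped,
    percent-decoding applied, '.' and '..' segments resolved."""
    path = raw_uri.split("?", 1)[0]
    return posixpath.normpath(unquote(path))


def is_exempt(path: str) -> bool:
    return path == AUTH_EXEMPT or path.startswith(AUTH_EXEMPT + "/")


def dispatch(raw_uri: str) -> str:
    return ROUTES.get(normalize(raw_uri), "404")


def vulnerable_gateway(raw_uri: str, authenticated: bool) -> str:
    """Bug class from the article: the exemption is decided on the RAW URI,
    but the router dispatches on the NORMALIZED URI."""
    if not is_exempt(raw_uri.split("?", 1)[0]) and not authenticated:
        return "401"
    return dispatch(raw_uri)


def hardened_gateway(raw_uri: str, authenticated: bool) -> str:
    """Fix: refuse paths that would change under normalization, then decide
    the exemption on the same canonical path the router will use."""
    decoded = unquote(raw_uri.split("?", 1)[0])
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return "400"  # dot segments never belong in a request to this API
    if not is_exempt(normalize(raw_uri)) and not authenticated:
        return "401"
    return dispatch(raw_uri)


if __name__ == "__main__":
    crafted = "/api/auth/validate-sso/%2e%2e/%2e%2e/internal/update"
    print("raw URI seen by auth   :", crafted)
    print("path seen by the router:", normalize(crafted))
    print("vulnerable gateway, no session:", vulnerable_gateway(crafted, False))
    print("hardened gateway, no session  :", hardened_gateway(crafted, False))
```

The vulnerable gateway lets an unauthenticated request through because its raw path starts with the exempt prefix, while the router resolves the same path to the protected route. The hardened version rejects dot segments outright and evaluates the exemption on the canonical path, so both checks see the same string.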
Apart from the tool, defenders can also look for requests containing "/api/auth/validate-sso/" and monitor requests to "ucs/update/latest_package," suspicious child processes under "ucs-update," and unexpected sudo commands.

Bishop Fox confirmed that the attack chain doesn't work on UniFi OS Server 5.0.8, so users should upgrade to this release or later. However, organizations should also confirm that the update is being installed on a system that has not already been compromised.
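The hunting hints above, run over constructed log lines as an added example that is not Bishop Fox's detection script (which probes the server rather than reading logs): an nginx-style access log is scanned for the SSO marker path combined with traversal and for requests that reach the package-update endpoint, and a syslog-style sudo log is scanned for commands run by the update service account. The log format, every sample line, the placeholder route "/internal/x" and the account name ucs-update are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed nginx-style access log lines (not real UniFi logs). The lines
# that combine the SSO marker with traversal use a placeholder route because
# the article does not publish the real request.
ACCESS_LOG = [
    '10.0.0.5 - - [08/Jun/2026:10:01:02 +0000] "GET /api/auth/validate-sso/ HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Jun/2026:10:01:10 +0000] "POST /api/auth/validate-sso/../../internal/x HTTP/1.1" 200 87',
    '10.0.0.9 - - [08/Jun/2026:10:01:11 +0000] "POST /api/auth/validate-sso/%2e%2e/%2e%2e/internal/x HTTP/1.1" 200 87',
    '10.0.0.9 - - [08/Jun/2026:10:01:12 +0000] "POST /ucs/update/latest_package HTTP/1.1" 200 87',
    '10.0.0.5 - - [08/Jun/2026:10:02:00 +0000] "GET /api/system/info HTTP/1.1" 200 2048',
]

# Constructed syslog-style sudo records. Treating "ucs-update" as the name of
# the service account is an assumption; the article names it as the process
# whose child processes should be watched.
AUTH_LOG = [
    'Jun  8 10:01:13 unifi sudo: ucs-update : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash',
    'Jun  8 10:05:00 unifi sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update',
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
SUDO_RE = re.compile(r'sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$')

SSO_MARKER = "/api/auth/validate-sso/"
UPDATE_MARKER = "ucs/update/latest_package"
SERVICE_ACCOUNT = "ucs-update"


def canonical(uri: str) -> str:
    """Path as the router would see it: query dropped, percent-decoded,
    dot segments resolved."""
    return posixpath.normpath(unquote(uri.split("?", 1)[0]))


def classify_request(uri: str) -> list:
    """Return the indicator names that fire for one request URI."""
    findings = []
    decoded = unquote(uri.split("?", 1)[0])
    # The SSO path by itself is normal traffic; SSO path plus '..' is not.
    if SSO_MARKER in uri and ".." in decoded.split("/"):
        findings.append("sso-path-with-traversal")
    # Match on the canonical path so encoded or traversed forms are caught too.
    if UPDATE_MARKER in canonical(uri):
        findings.append("package-update-endpoint")
    return findings


def scan_access_log(lines):
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["uri"])
        if tags:
            hits.append((m["src"], m["method"], m["uri"], m["status"], tags))
    return hits


def scan_sudo_log(lines):
    """Every sudo invocation by the update service account is reported: the
    article treats any such command as unexpected."""
    return [
        (m["user"], m["cmd"].strip())
        for m in map(SUDO_RE.search, lines)
        if m and m["user"] == SERVICE_ACCOUNT
    ]


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print("ACCESS", hit)
    for hit in scan_sudo_log(AUTH_LOG):
        print("SUDO  ", hit)
```

Because the bypass needs no credentials, there is no failed-login signal to pivot from; the request shape itself (marker path plus dot segments, or a hit on the update endpoint) is the only web-tier trace, and a sudo record for the service account is the corresponding host-tier trace.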
A critical vulnerability chain (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, all CVSS 10.0) in Ubiquiti UniFi OS Server allows unauthenticated attackers on the network to bypass authentication via a request routing mismatch, perform command injection, and trivially escalate to root via a privileged service account with passwordless sudo. Affected versions are UniFi OS Server 5.0.6 and earlier, with patches released in May 2026. Organizations should immediately upgrade to UniFi OS Server 5.0.8 or later, verify that the host was not already compromised, and restrict network access to UniFi management interfaces.